diff --git a/pkg/component/component.go b/pkg/component/component.go
index bc87000761..d0261e7538 100644
--- a/pkg/component/component.go
+++ b/pkg/component/component.go
@@ -27,7 +27,7 @@ import (
 "syscall"
 "go.opentelemetry.io/otel/trace"
- mtlsauth "go.thethings.network/lorawan-stack/v3/pkg/auth/mtls"
+ "go.thethings.network/lorawan-stack/v3/pkg/auth/mtls"
 "go.thethings.network/lorawan-stack/v3/pkg/auth/rights"
 "go.thethings.network/lorawan-stack/v3/pkg/cluster"
 "go.thethings.network/lorawan-stack/v3/pkg/config"
@@ -97,7 +97,7 @@ type Component struct {
 taskStarter task.Starter
 taskConfigs []*task.Config
- caStore *mtlsauth.CAStore
+ caStore *mtls.CAStore
 limiter ratelimit.Interface
 }
@@ -207,7 +207,7 @@ func New(logger log.Stack, config *Config, opts ...Option) (c *Component, err er
 if err != nil {
 return nil, err
 }
- c.caStore, err = mtlsauth.NewCAStore(ctx, caStoreFetcher)
+ c.caStore, err = mtls.NewCAStore(ctx, caStoreFetcher)
 if err != nil {
 return nil, err
 }
@@ -455,6 +455,6 @@ func (c *Component) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 }
 // CAStore returns the component's CA Store.
-func (c *Component) CAStore() *mtlsauth.CAStore {
+func (c *Component) CAStore() *mtls.CAStore {
 return c.caStore
 }
diff --git a/pkg/gatewayserver/gatewayserver.go b/pkg/gatewayserver/gatewayserver.go
index 1f1020fe1f..1c6c485d77 100644
--- a/pkg/gatewayserver/gatewayserver.go
+++ b/pkg/gatewayserver/gatewayserver.go
@@ -29,7 +29,7 @@ import (
 "time"
 "github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
- mtlsauth "go.thethings.network/lorawan-stack/v3/pkg/auth/mtls"
+ "go.thethings.network/lorawan-stack/v3/pkg/auth/mtls"
 "go.thethings.network/lorawan-stack/v3/pkg/cluster"
 "go.thethings.network/lorawan-stack/v3/pkg/component"
 "go.thethings.network/lorawan-stack/v3/pkg/config"
@@ -113,7 +113,7 @@ func (gs *GatewayServer) Context() context.Context {
 // CertificateVerifier abstracts certificate verification functions.
 type CertificateVerifier interface {
- Verify(ctx context.Context, clientType mtlsauth.ClientType, cn string, cert *x509.Certificate) error
+ Verify(ctx context.Context, clientType mtls.ClientType, cn string, cert *x509.Certificate) error
 }
 var (
@@ -439,9 +439,9 @@ func (gs *GatewayServer) FillGatewayContext(ctx context.Context, ids *ttnpb.Gate
 return nil, nil, err
 }
 }
- if cert := mtlsauth.ClientCertificateFromContext(ctx); cert != nil {
+ if cert := mtls.ClientCertificateFromContext(ctx); cert != nil {
 // Verify the client certificate.
- err := gs.certVerifier.Verify(ctx, mtlsauth.ClientTypeGateway, types.MustEUI64(ids.Eui).String(), cert)
+ err := gs.certVerifier.Verify(ctx, mtls.ClientTypeGateway, types.MustEUI64(ids.Eui).String(), cert)
 if err != nil {
 return nil, nil, errUnauthenticatedGatewayConnection.WithCause(err)
 }
diff --git a/pkg/rpcmiddleware/proxy_headers.go b/pkg/rpcmiddleware/proxy_headers.go
index 4bc6e18a16..b5447dafd9 100644
--- a/pkg/rpcmiddleware/proxy_headers.go
+++ b/pkg/rpcmiddleware/proxy_headers.go
@@ -22,7 +22,7 @@ import (
 "strings"
 grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
- mtlsauth "go.thethings.network/lorawan-stack/v3/pkg/auth/mtls"
+ "go.thethings.network/lorawan-stack/v3/pkg/auth/mtls"
 "go.thethings.network/lorawan-stack/v3/pkg/log"
 "google.golang.org/grpc"
 "google.golang.org/grpc/metadata"
@@ -126,10 +126,10 @@ func (h *ProxyHeaders) intercept(ctx context.Context) (context.Context, metadata
 if forwardedFor != "" {
 md.Set(headerXRealIP, strings.TrimSpace(strings.Split(forwardedFor, ",")[0]))
 }
- if cert, ok, err := mtlsauth.FromProxyHeaders(getLastFromMD(md)); err != nil {
+ if cert, ok, err := mtls.FromProxyHeaders(getLastFromMD(md)); err != nil {
 log.FromContext(ctx).WithError(err).Warn("Failed to parse client certificate from proxy headers")
 } else if ok {
- ctx = mtlsauth.NewContextWithClientCertificate(ctx, cert)
+ ctx = mtls.NewContextWithClientCertificate(ctx, cert)
 }
 } else {
 // We don't trust the proxy, remove its headers.
diff --git a/pkg/webmiddleware/proxy_headers.go b/pkg/webmiddleware/proxy_headers.go
index eef8d20bb3..21314d8bf1 100644
--- a/pkg/webmiddleware/proxy_headers.go
+++ b/pkg/webmiddleware/proxy_headers.go
@@ -21,7 +21,7 @@ import (
 "regexp"
 "strings"
- mtlsauth "go.thethings.network/lorawan-stack/v3/pkg/auth/mtls"
+ "go.thethings.network/lorawan-stack/v3/pkg/auth/mtls"
 "go.thethings.network/lorawan-stack/v3/pkg/log"
 )
@@ -103,10 +103,10 @@ func ProxyHeaders(config ProxyConfiguration) MiddlewareFunc {
 if forwardedHost != "" {
 r.URL.Host = forwardedHost
 }
- if cert, ok, err := mtlsauth.FromProxyHeaders(r.Header); err != nil {
+ if cert, ok, err := mtls.FromProxyHeaders(r.Header); err != nil {
 log.FromContext(ctx).WithError(err).Warn("Failed to parse client certificate from proxy headers")
 } else if ok {
- ctx = mtlsauth.NewContextWithClientCertificate(ctx, cert)
+ ctx = mtls.NewContextWithClientCertificate(ctx, cert)
 }
 } else {
 // We don't trust the proxy, remove its headers.